@@ -224,11 +224,13 @@ final npmReadme = InternalConfigVariable.fn<String?>(
224224/// **Do not check this in directly.** This should only come from secure
225225/// sources.
226226///
227- /// By default this comes from the `NPM_TOKEN` environment variable.
228- final npmToken = InternalConfigVariable .fn <String >(
229- () =>
230- Platform .environment["NPM_TOKEN" ] ??
231- fail ("pkg.npmToken must be set to deploy to npm." ),
227+ /// By default this comes from the `NPM_TOKEN` environment variable. If it's not
228+ /// set, npm will use whatever tokens the system has available; this is
229+ /// necessary for using [trusted publishing] .
230+ ///
231+ /// [trusted publishing] : https://docs.npmjs.com/trusted-publishers
232+ final npmToken = InternalConfigVariable .fn <String ?>(
233+ () => Platform .environment["NPM_TOKEN" ],
232234);
233235
234236/// The [distribution tag][] to use when publishing the current `npm` package.
@@ -807,9 +809,13 @@ const _cliPkgExports = {};
807809
808810/// Publishes the contents of `build/npm` to npm.
809811Future <void > _deploy () async {
810- var file = File (".npmrc" ).openSync (mode: FileMode .writeOnlyAppend);
811- file.writeStringSync ("\n //registry.npmjs.org/:_authToken=$npmToken " );
812- file.closeSync ();
812+ if (npmToken.value case var token? ) {
813+ var file = File (".npmrc" ).openSync (mode: FileMode .writeOnlyAppend);
814+ file.writeStringSync ("\n //registry.npmjs.org/:_authToken=$token " );
815+ file.closeSync ();
816+ } else {
817+ log ("npmToken not set, using system credentials" );
818+ }
813819
814820 // The trailing slash in "build/npm/" is necessary to avoid NPM trying to
815821 // treat the path name as a GitHub repository slug.
0 commit comments